Several new CVEs were publicly disclosed for upstream Ruby on April 23, 2024:
- CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
- CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
- CVE-2024-27280: Buffer overread vulnerability in StringIO
Our impacted in-tree dev-lang/ruby versions need to be bumped to the new patched releases:
- 3.0.7
- 3.1.5
- 3.2.4
3.3.1 will be handled in FL-11914.

Relates to: FL-11914 [ruby-kit] Add Ruby 3.3.1 and all related new Ruby dependencies to Funtoo (In Progress)